In the 10 months since the Homeland Security Department started requiring agencies to fix all critical vulnerabilities within a month, 39 of the more than 360 at-risk cases remain unpatched.
Combined with a number of small agencies struggling to modernize their legacy systems and a trio of major agencies that cannot meet deadlines for security updates, that means “we’ve got to up our game,” said House Oversight and Government Reform Chairman Jason Chaffetz (R-Utah).
“The federal government has spent more than $525 billion on IT, and it doesn’t work,” Chaffetz said during an April 20 House oversight hearing.
Andy Ozment, DHS assistant secretary for cybersecurity and communications, said that part of the problem is agencies are using old systems and software, which his department considers critical vulnerabilities.
“Some of our most challenging discoveries are unsupported devices, particularly at smaller departments and agencies, who may lack the resources or the expertise to upgrade these very legacy systems,” Ozment said. “I think this is a major risk for the government.”
Status quo must change
Rep. William Hurd (R-Texas) highlighted the importance of patching a vulnerable system in a line of questioning about a December announcement from Juniper Networks that its ScreenOS software had been hacked.
The company sent out an “emergency security patch” to clients, including 12 federal agencies. In January, the oversight committee sent letters to 24 agencies asking about any systems that run the Juniper software.
“Of the 12 agencies affected, three, including the Department of Treasury, took longer than 50 days to fully install patches and mitigate the threat posed by this vulnerability,” Hurd said. “This is absolutely unacceptable. The inability of federal agencies to maintain a comprehensive view and inventory of their information systems and respond to Congress in a timely manner cannot be the status quo.”
The other two agencies were NASA and the Department of Commerce. Neither agency immediately responded to a request for comment.
“Could we have done it a little bit faster? Yes,” said Treasury Chief Information Officer Sanjeev Bhagowalia during his testimony at the hearing.
But the challenges a large agency such as Treasury faces should be considered in reporting on vulnerabilities and how they are mitigated, Bhagowalia said.
“In many cases, the devices that must be patched are part of complex systems with several legacy components that may not be compatible with a given security fix,” Bhagowalia said. “To the extent possible, and especially in instances where time is of the essence, Treasury employs a risk-based approach to vulnerability remediation. Given the realities of a limited resource environment, Treasury and its bureaus start by remediating vulnerabilities on assets with the greatest risk exposure first, and move systematically to remediate the remaining assets.”
Treasury said 57 devices had the Juniper vulnerability, but only four of them were connected to the internet.
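The risk-based ordering Bhagowalia describes (internet-exposed assets first, then the rest) and the 30-day deadline the article opens with can be expressed as a small triage routine. The following is an added illustration, not Treasury's or DHS's process or tooling; the asset list, dates and scoring weights are constructed for the example, and the `Asset` fields, `risk_score` and `sla_summary` are assumed names.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# 30-day remediation deadline for critical findings, as described in the article.
SLA_DAYS = 30


@dataclass
class Asset:
    name: str
    internet_facing: bool
    vendor_supported: bool      # False: software out of support, a patch may not exist
    alert_date: date            # day the vendor/DHS alert was received
    patched_date: Optional[date] = None


def days_open(asset: Asset, today: date) -> int:
    """Days from the alert to the patch, or to today if still unpatched."""
    end = asset.patched_date or today
    return (end - asset.alert_date).days


def is_overdue(asset: Asset, today: date) -> bool:
    """Unpatched and past the SLA window."""
    return asset.patched_date is None and days_open(asset, today) > SLA_DAYS


def risk_score(asset: Asset) -> int:
    """Higher score = fix first (assumed weights, not an official scheme).
    Internet exposure dominates; unsupported software adds weight because it
    cannot simply be patched and needs compensating controls instead."""
    score = 0
    if asset.internet_facing:
        score += 100
    if not asset.vendor_supported:
        score += 25
    return score


def remediation_order(assets: list[Asset]) -> list[Asset]:
    """Unpatched assets, most exposed first; ties broken by oldest alert."""
    open_assets = [a for a in assets if a.patched_date is None]
    return sorted(open_assets, key=lambda a: (-risk_score(a), a.alert_date))


def sla_summary(assets: list[Asset], today: date) -> dict[str, int]:
    """Counts a CIO would report: how many are open, and how many breach the SLA."""
    return {
        "open": sum(1 for a in assets if a.patched_date is None),
        "overdue": sum(1 for a in assets if is_overdue(a, today)),
        "patched": sum(1 for a in assets if a.patched_date is not None),
    }


# Constructed sample inventory (names and dates invented for the example).
ALERT = date(2015, 12, 18)
TODAY = date(2016, 2, 15)
SAMPLE_ASSETS = [
    Asset("edge-fw-01", True, True, ALERT),
    Asset("edge-fw-02", True, True, ALERT, patched_date=date(2015, 12, 23)),
    Asset("lab-vpn-07", False, False, ALERT),
    Asset("branch-fw-12", False, True, date(2016, 2, 1)),
    Asset("legacy-gw-03", True, False, ALERT),
]

if __name__ == "__main__":
    for a in remediation_order(SAMPLE_ASSETS):
        flag = "OVERDUE" if is_overdue(a, TODAY) else "within SLA"
        print(f"{a.name:14} score={risk_score(a):3} open={days_open(a, TODAY):3}d {flag}")
    print(sla_summary(SAMPLE_ASSETS, TODAY))
```

The ordering puts the internet-facing, out-of-support gateway ahead of everything else, which is the case where a patch may be unavailable and the exposure is greatest; the summary separates "still open" from "open and past the deadline", which is the distinction the committee's 50-day figure turns on.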
Bhagowalia said the agency has looked in detail at the four devices in question, and brought in outside experts to help with a risk analysis.
“We’re pretty confident we did a detailed risk analysis,” Bhagowalia said. “That’s why we took a little bit of time … to really look into detail and make sure there’s nothing going on. We absolutely appreciate the concern … we also know that this vulnerability is quite serious. We looked at it, there was nothing that we could see.”
The department has no evidence of any theft or compromise of Treasury data, systems or networks, as it relates to the issue with Juniper devices, a Treasury spokesman said in an email to Federal News Radio.
“The risk posed to Treasury was largely mitigated by strong security measures. Treasury addressed this matter within a week of discovering the issue,” the spokesman said. “Treasury is committed to maintaining secure IT networks and complying with federal IT security rules.”
Hurd also asked for hard numbers on how much software Treasury is running without vendor support.
Bhagowalia said Treasury has 329 systems and that a “small percentage” is operating with software no longer supported by the vendor.
The alert from DHS about the Juniper flaw is one example of how the National Protection and Programs Directorate within DHS is serving as the “hub” for cybersecurity information sharing between the public and private sector, Ozment said.
Over the last month, DHS has shared more than 2,000 indicators with the private sector, though an indicator is not necessarily a cyber incident, he told the committee.
Widespread neglect puts NASA’s networks in jeopardy